As a technologically aligned manufacturing company, J.K. Cement Ltd. has expanded its business over four decades by developing innovative products beyond the original grey cement on which it built its organization in 1975. Its white cement business, which launched in 1984, has steadily grown the company to be the second largest white cement producer in India. In 2014, J.K. Cement opened its first manufacturing plant outside of India in Fujairah, United Arab Emirates. The business has also expanded its product offerings in this niche market by launching several specialized products, such as white cement-based primer J.K. PrimaxX.

“The mindset of our stakeholders has been to always strive for inventing and investing in the latest and best technology, provided that it adds value to the business,” says Jitendra Singh, CIO of J.K. Cement. “This approach to technology has created more efficient ways of working, cut costs, ensured data security, and brought in more revenue.”

An SAP customer since 2007, J.K. Cement started its SAP journey with an implementation of SAP ERP with functionality for financial accounting, controlling, materials management, sales and distribution, production planning, quality management, and plant maintenance. Over the next decade, any time the business considered adding new applications to the IT landscape, it always first looked at SAP solutions or applications that integrate with SAP software. And as the organization expanded — today, the business has plants in six locations in India in addition to the Fujairah plant — the SAP landscape grew accordingly.

However, in terms of automation for the governance of this growing landscape, processes were still manual and paper based. As the company grew, the need for a stronger controls framework became obvious.

“Now, we have proof of what has been done, how it was done, and when it was done — and it’s all automated. More than anything else, it has sent a message to users organization-wide that they must be disciplined, be in control, and act carefully.”
— Jitendra Singh, CIO, J.K. Cement

“Like anyone who grows without proper automation, we ended up creating an unwieldy architecture in our SAP system across all departments,” Singh says. Certain user roles had too much access across the various SAP modules, and segregation of duties (SoD) conflicts were increasingly common. The business had to focus on and eliminate any conflicts, for example, if someone in procurement had access to both create or change purchase orders and vendor master data. And it needed to look closely at instances where no documented process was in place for requesting, approving, and provisioning access.

“Whenever department heads or functional heads wanted additional access given in SAP ERP to a certain user, they would simply write an email or pick up a phone,” says Singh. “By honoring these requests from end users or managers, over time, we were compromising the governance and security of the organization.”

In 2016, after operating more than a year as an international business, J.K. Cement knew it needed to take steps to update its governance processes and put in place a governance platform that would automate the assignment and tracking of access controls. At the same time, the company was increasingly concerned about the costs of SAP licenses and the potential consequence of non-compliance (if any).

Getting Ready to Pour

J.K. Cement knew that an IT project can sometimes be like pouring concrete: once installed, it can take a lot of money, time, and effort to remove. Consequently, the first steps J.K. Cement took in looking for a governance and control mechanism were to roll out a request for proposals and define a list of selection criteria. The business was looking for a provider that offered the most manageable, least complex, and most user-friendly, end-to-end solution.
“We had specific criteria in mind for how to control this situation while not incurring a huge cost,” Singh says. “One was the applicability of the solution with respect to J.K. Cement; second was whether the solution integrated with SAP ERP; and third was what support — hardware or manpower — would be required to manage it. Additionally, the solution would need to answer each question raised by the naysayers and end users who were against implementing any technology that would limit their system access.”

After evaluating the different options, J.K. Cement decided on the Security Weaver suite and proceeded to deploy nine applications: Separations Enforcer, Secure Provisioning, Emergency Repair, License Management, Process Auditor, Transaction Archive, Reset Password, Role Management, and Role Recertification. The implementation followed a big-bang methodology where all nine applications were deployed at once in under one month. (For more information about the Security Weaver suite, refer to the sidebar at the end of the article.)

Once the solution suite was procured, Security Weaver came to present an orientation session at J.K. Cement headquarters in India. “Security Weaver team members gave a small presentation to apprise our top management of exactly what would be involved during the implementation and how the solution suite worked,” says Singh. “Doing so, we demonstrated to the respective stakeholders how vital their support was to the project, especially since we would most likely face some resistance during the implementation.”

Next was a detailed planning session that involved participation from key users at each plant and the J.K. Cement IT team, including the senior manager overseeing the SAP and Security Weaver applications, as well as resources from Security Weaver. During this planning phase, J.K. Cement identified 18,000 SoD conflicts that needed to be eliminated.

J.K. Cement
Headquarters: Kanpur, India
Industry: Cement manufacturing
Employees: 2,745 (2016)
Revenue: $557 million+ (2016)
Company details:
- An affiliate of J.K. Organization, which was founded by Lala Kamlapat Singhania in 1918
- Operations commenced in May 1975 with the opening of the Nimbahera grey cement plant in Rajasthan, India (initial capacity of .3 million tons)
- Currently operating nine plants in seven locations — Nimbahera, Mangrol, Muddapur, and Jharli (grey cement plants); Gotan (grey cement, white cement, and wall putty plants); Katni (wall putty plant); and Fujairah (white cement plant) — with a combined annual capacity of 7.5 million tons
- Second largest manufacturer of white cement in India (600,000 tons/year) and second largest wall putty producer (700,000 tons/year)
- International commercial production started in September 2014 in the free trade zone at Fujairah, UAE to cater to the GCC and African markets (0.6 million tons/year)
- (NYSE: JKCEMENT)
- www.jkcement.com
SAP solutions: SAP ERP, SAP Business Warehouse, SAP Business Planning and Consolidation, SAP Treasury and Risk Management, and SAP BusinessObjects solutions
Third-party solutions: Security Weaver suite of applications including Separations Enforcer, Secure Provisioning, Emergency Repair, License Management, Process Auditor, Transaction Archive, Reset Password, Role Management, and Role Recertification

Curing the Foundation

The software was implemented in just under a month. In the next three months, the processes were institutionalized, according to Singh. “The institutionalization period has more to do with organizational management and less to do with the software,” he says. “We ended up creating processes called ‘delegation of authorities,’ which were nonexistent before, to keep risks under control. The idea was that the department heads, as experts in their respective fields, would know best what to do when, what to control, and what not to.”

To familiarize all users with the new software, three methods of training were provided. First, the leadership team was apprised of the value the applications would add. Next, the key stakeholders in respective functions were taught how to use the solutions in a more elaborate fashion compared to what was given to the leadership team. Third, extensive training was given to two IT leaders on the manufacturing side and the head of SAP support, all of whom were spread across India.

After the core team members were trained on the new software, they communicated to the SAP users across all sites that the new solutions would be implemented in the next 15 days. “Although users were worried about their loss of freedom, we assured them that this would improve their work environment and make their jobs easier,” Singh says. “The three IT team members were available anytime if anyone had issues or needed help, and fortunately, we have had very few calls.”

Once the training was complete and the applications were entrenched in users’ daily lives, it did not take long before the first benefits came to light.

A Perfect Mix of Aggregate

IT projects, like cement, require a balanced blend of ingredients. With cement, too much or too little of one ingredient will prevent it from setting or can cause cracks in the future. For IT projects, the right amount of flexibility, control, simplicity, and automation is key to having a solution that gets adopted quickly and provides value for decades.

However, having a solution architecture that was incredibly simple to implement and maintain was only part of the right mix for J.K. Cement. The solution also needed to provide automation that was directly beneficial to the business, and the automation had to be flexible enough to meet the company’s current and future needs.
Security Weaver’s Secure Provisioning application did just that and more, according to Singh. “It was just a small piece in terms of the implementation footprint, but came out as a clear winner because provisioning had been one of the major pain points from the end user side,” he says. “Implementing Secure Provisioning helped create a feeling among users that we were doing something positive. That worked in our favor in getting required support from users.”

Implementing an automated user provisioning solution helped users and management see that the objective of the security and compliance team was not to constrain or limit the access: IT also wanted to provision access faster. If the access was appropriate, IT wanted users to get it faster than they previously could by sending an email or calling someone.

Tightly integrated with Secure Provisioning is the Separations Enforcer application. The solution automates analysis of each request and immediately notifies the requestor, his or her manager, and any other approvers in the request-provisioning workflow if granting the access will create an SoD conflict. By automating the analysis and immediately showing the results, requestors understand if additional approvals will be required, managers understand the implications of the risk without having to wait for IT to do the analysis, and supervisors can determine if, rather than granting access, they should modify the duties of their team members.

With these two solutions in place, supervisors or managers can control which users should be given what rights. “The tight integration helps users to be more disciplined prior to approving a request because they see clearly if it might create holes in the system,” Singh says. “It also enables the individual managers and functional heads to analyze who does what in their team — of course, keeping in mind that risk tolerances can differ from one application to another, from one team to another, and from one manager to another.”

According to Singh, Security Weaver not only proved simple to implement and flexible enough to adapt to the company’s unique business processes and challenges, it also inspired improvements to J.K. Cement’s business. He says that the new software has led the business to add more structure to the organizational functions, and gives absolute clarity to the department heads as well. “Within procurement, for example, Separations Enforcer has turned out to be a big asset to us,” he says.

While provisioning appropriate access faster and finding ways to improve the business have been major wins, it is also important to highlight the numerous access risks that have been purged from the SAP system. “Today, we have already reduced the list of 18,000 SoD conflicts by 60% — so that’s been a huge achievement,” says Singh.

In addition to provisioning and improved security, another area where automation has provided high value involves password management. Previously, if users forgot their password or were locked out of the SAP system because of incorrect password entry, the password reset process took close to two days, which resulted in lost productivity and frustrated users.

“No matter what part of the world you are in, people want to be productive,” Singh says. “This application created confidence in the positive changes that were happening and encouraged them to support IT rather than push back.” He says that the company’s process for resetting passwords has been reduced from two days to five minutes, and everyone feels more empowered and productive.

Improving password management was not sufficient without also implementing an emergency access solution.
In scenarios where a user with certain permissions goes on leave or is unavailable for a length of time, another person or set of individuals must be authorized to receive temporary access to complete the absent individual’s job. Furthermore, there are some authorizations in production that are too sensitive to be given on a permanent basis. In both cases, access must be terminated once it is no longer needed.

Previously, assigning and revoking temporary access depended on whether someone remembered or elected to do it. Without an automated solution, managing user access required maintaining a log of access rights for users spread across India. However, with Security Weaver, that tedious burden was eliminated. According to Singh, J.K. Cement found a great mix of value, simplicity, flexibility, and control in Security Weaver’s Emergency Repair module.

“With Emergency Repair, no one has to write anything down or keep a log to remember when certain rights are to be assigned and then revoked,” Singh says. “Instead, the application lets you set the number of days or timelines to take back certain rights, and access is automatically revoked from the particular user.”

Not only were security administrators happy to eliminate this work, but the robust audit trail created by Emergency Repair delighted auditors. “Auditors appreciate this when they come to review the access and access controls,” he adds. “By taking care of it all automatically, Security Weaver makes their lives easier during audit time.”

J.K. Cement realized early that, in addition to lowering access risks, focusing on user management could lower its SAP cost structure and make future investment requirements more predictable. Security Weaver’s License Management application provided the key. It analyzes each user’s interactions with the SAP environment and inspects the roles each user has. Based on an understanding of these roles and interactions, it can accurately and continuously assess which SAP licenses are required. Over time, it is also able to show historic consumption and anticipate how long the existing inventory of user licenses will last.

The License Management application has helped J.K. Cement to increase control and reduce risk through automated role-based license management. Now the organization can anticipate when more licenses will be needed and avoid an unexpected and disruptive expense triggered by an SAP license audit. Furthermore, because Security Weaver’s solution optimizes how user licenses are allocated and avoids giving users a full professional license when all they need is a limited professional license, over time, it can lower the SAP cost structure of the enterprise.

Building on a Safe and Strong Foundation

“In March 2018, our annual financial close will trigger a review of user roles, and that’s when the next wave of value will be realized,” says Singh. “Department heads and functional teams will have the visibility into what was given to whom — and over time, if the roles and responsibilities of a department change, they will have the ability to look at the roles and redefine them.”

Singh expects the Reset Password, Role Management, and Role Recertification modules to provide tremendous value at that time. Installing these tools prior to the annual financial close will allow J.K. Cement to explore their capabilities and accelerate time to value when the role review process begins.

Security Weaver’s Transaction Archive application is expected to also greatly facilitate the role review process due to the rich user analytics it delivers. By providing data on how users are exercising their roles and interacting with the system, it enables J.K. Cement to know which roles were designed properly and the implications of removing roles from a user.

However, according to Singh, J.K. Cement is not waiting for its role review process to start before getting value from Transaction Archive, which is already providing the business with unprecedented forensic capabilities and helping to keep users accountable. “Now, we have proof of what was done, how it was done, and when it was done — and it’s all automated,” says Singh. “More than anything else, it sent a message to users organization-wide that they must be disciplined, be in control, and act carefully.” Establishing a tone from the top that stresses compliance sends a strong message about the importance placed by senior leadership on proper governance, risk management, security, and compliance.

In addition to understanding the value of user analytics, J.K. Cement understands the value of strong and well-controlled processes. The business included process design and control early in its planning for selecting a compliance and security solution. This was where Process Auditor came into play.

By using Security Weaver’s prebuilt templates that come standard with Process Auditor, J.K. Cement was able to rapidly customize and put up controls to ensure proper risk management — controls that went beyond user access and considered both user transactions and master data. For example, J.K. Cement now sends alerts when certain master records change or if a vendor bank account matches an employee’s bank account. The business also has more control over high value transactions and SAP transports. According to Singh, J.K. Cement sees many opportunities for extending process controls to ensure compliance, consistency, and increased efficiency, and is excited to build on the firm foundation now in place.

Envisioning a Stable Future

J.K. Cement has, in fact, eliminated the risk of users knowingly or unknowingly carrying out fraudulent activity.
While the business hasn’t had problems with fraud in the past, according to Singh, it would be virtually impossible for individual users to get away with fraud in the future. “In terms of data and processes, we are now more in control, and in a more confident state with regard to understanding and plugging any security holes related to access that could be a potential risk to the business,” he says.

With renewed certainty in the security of the SAP landscape, J.K. Cement is ready to take the next step in its SAP journey and move on to SAP S/4HANA. This migration project, set to begin in 2018, has been planned since before the Security Weaver implementation. Consequently, the criteria for the security platform included that the solution be compatible with SAP S/4HANA. Security Weaver’s SAP certifications with SAP S/4HANA and other SAP platforms mean that J.K. Cement is secure in its future and its security platform is ready for SAP S/4HANA.

J.K. Cement continues to honor the mindset of its stakeholders by striving to invent and invest in the latest and greatest technology to add value and provide world class operations. As it does so, IT and the business will keep in mind three takeaways that Singh saw successfully demonstrated in this project: “First, when selecting and implementing software, don’t do it half-heartedly; Second, implement the solution as quickly as possible; Third, don’t compromise on governance and control because you don’t have to.”

Security Weaver Helps J.K. Cement Improve Its Governance and Controls

Security Weaver partners with organizations to rapidly deliver efficient controls. Its solutions and services satisfy the most demanding enterprises without sacrificing the usability imperatives or ignoring the budget and staff constraints of smaller companies. Any organization improving the business value of its compliance-related investments can trust Security Weaver to deliver governance, risk, and compliance (GRC) solutions fitted to match their unique requirements and individual technology roadmaps. Security Weaver’s solution architecture ensures superior application performance, rapid implementations across diverse environments, and high returns on compliance-related investments.

Security Weaver provided J.K. Cement with a proven platform for reducing cost and increasing productivity in its SAP environment. Regarding this partnership, Terry Hirsch, CEO at Security Weaver, says, “At Security Weaver, we pride ourselves on offering solutions that can be deployed quickly, scale indefinitely, and support best practices, with low ongoing maintenance requirements. We are pleased to see that J.K. Cement has successfully leveraged our solutions to create a leaner, more efficient enterprise, and to optimize their user management processes.”

Security Weaver also offers automated password reset, role recertification, and role management solutions, as well as GRC implementation services, solutions for transaction monitoring, process auditing, and emergency access management. It offers custom applications to the smallest and largest SAP customers. Visit www.securityweaver.com/SAP-insider for more information.
The technology infrastructure of cement producer J.K. Cement needed to tighten up its controls. Its ten-year-old SAP system had added thousands of users and vendors, and a slew of manual, paper-based processes led to too many segregation of duties (SoD) conflicts and too much possibility for fraud. Learn how the company adopted nine Security Weaver solutions in under a month to get its controls in order.